
CompTIA A+ 10-01l Security - Part 12 - Configuring SOHO Routers and Wireless Hubs

Welcome to Security, where we discuss security with a focus on how it affects the computer, and the services and resources that the computer connects to. In Part 12, Configuring SOHO Routers and Wireless Hubs, we discuss the security side of home routers, switches and wireless access points. We will discuss what you should do when you first get your router, switch or firewall; Universal Plug and Play; wireless access authentication and encryption; wireless interference; wardriving; IP filtering; content filtering; screened subnets (also known as DMZs); and port forwarding. For those who are going to take the A+ exam, there are practice questions at the end of the video. If you have not already, subscribe to the PatHasYourBack channel.

Pat Has Your Back

6 days ago

Hi. My name is Patrick Regan. Welcome to Security, where we discuss security with a focus on how it affects the computer, and the services and resources that the computer connects to. In Part 12, Configuring SOHO Routers and Wireless Hubs, we discuss the security side of home routers, switches and wireless access points. We will discuss what you should do when you first get your router, switch or firewall; Universal Plug and Play; wireless access authentication and encryption; wireless interference; wardriving; IP filtering; content filtering; screened subnets (also known as DMZs); and port forwarding. For those who are going to take the A+ exam, there are practice questions at the end of the video. If you have not already, subscribe to the PatHasYourBack channel.

A Small-Office/Home-Office (SOHO) LAN is a small computer network, usually built of one Ethernet switch, one router and one wireless access point. You can find wireless access point/routers that consist of an Ethernet switch, a router and a wireless access point in a single device. A SOHO network is a common local-area deployment for homes and small offices. A wireless network consists of an access point and some wireless devices, including laptops, tablets and smartphones. It provides mobility within a limited geographic area and usually uses 802.11 technology; multiple access points can be linked, and wireless bridges might be used to connect devices between two buildings.

Here is another sample SOHO network, where your cable provider connects their services to a coaxial cable jack. You then use the coaxial cable to connect to your router/wireless access point, which provides your WAN connection and connection to the Internet. You would then connect your computers to the built-in switch or use wireless connections.

When you acquire a router, switch or wireless access point, including any combination device, it will come with a default password. Hackers will try the default passwords for these devices, and these passwords grant full administrator access. Therefore, it is very important that you change the default password before you do anything else. Many major breaches occurred because the default password was not changed on these types of devices. If you don't know your default password, you can go to routerpasswords.com. Common default username and password combinations are admin/admin, admin with no password, or root with no password.

Similar to computers, routers, switches, wireless access points and firewalls have firmware, which contains the built-in device software. As with computers, updates are provided by the manufacturer and can fix bugs, introduce new features and provide security patches. It is recommended to install the latest firmware, and you should check for updates and update the firmware on a regular basis.

Universal Plug and Play (UPnP) is a network protocol that allows apps and devices to open and close ports automatically in order to connect with each other. UPnP requires zero configuration: you can add a new device to your network and have it automatically connect with your other devices. UPnP is a way to make port forwarding automated and easier than a manual process. For example, if you wanted to connect a printer to everyone in your household without UPnP, you would need to connect the printer to every single device. UPnP automates this. For networks, zero-configuration means that none of the devices on your network need manual configuration to discover a new device. UPnP-enabled devices can automatically join a network, obtain an IP address, and find and connect to other devices on your network, making it very convenient. No approval is needed. Since no approval is needed, and you don't know what can automatically be added to your network, it is best practice to disable UPnP. It can also be used to remotely access other devices connected to the same network, install malware on your device, and steal your sensitive information.

Home routers will have a minimum of two connections: a WAN connection, which allows connection to the Internet and is provided by your Internet Service Provider (ISP), and one or more LAN connections, usually consisting of multiple Ethernet connections and/or wireless connections. Most ISPs will dynamically allocate WAN addresses. However, some ISP packages will allow you to have a static IP address, which typically costs more money. If your home router has a static IP address, your corporate IT team will always know the IP address.

Most wireless access points and home routers can provide DHCP (automatic) services to automatically assign IP addresses to the clients that connect to them. Static addresses are more difficult, since you need to manually configure each IP address and the related settings. DHCP addresses make it easier to connect devices to the network by automatically configuring IP. You can use address reservations so that a device always gets the same IP address. Address reservations are assigned to the MAC address of the device.

Routers, switches and firewalls in corporations and organizations should be secured, usually in a secure room such as a server room or telecom closet with locked doors and restricted access. Some of the equipment in the server room could be in a locked cabinet.

For wireless networks, the popular frequency bands the FCC has assigned for unlicensed use are 2.4 GHz and 5.0 GHz. Use of these bands does not require filing with the FCC. The 2.4 GHz band is slower but can reach further. The 5 GHz band is faster but does not penetrate objects like walls or doors as well as 2.4 GHz. If you're in the same room as your router and your machine has a direct line of sight, 5 GHz will most likely give you the best performance, unless you have interference. Each range is divided into a multitude of channels: the 2.4 and 5.0 GHz Wi-Fi signal ranges comprise smaller bands, or channels. For 2.4 GHz in the United States, any of Wi-Fi channels 1 through 11 can be chosen when setting up a wireless LAN (WLAN). There is overlap between channels; channels 1, 6 and 11 are distinct channels that don't overlap with each other. For 5 GHz, there are 25 channels with no overlapping. Some wireless access points will automatically find good frequencies.

Wireless access points need to be secured too, but their security is limited by the need to provide coverage. You may consider placing the wireless access points in a secure room, but they usually need to be placed where they can cover the clients. Therefore, install your APs in a central location, away from any corners, walls or other physical obstructions (if possible), to provide maximum signal coverage. For larger places and/or multiple floors, you may need to place multiple access points. You may consider placing them at high points in the office or building. Remember that you may need to power cycle the wireless access points.

Interference is a risk of running a wireless network and can bring down the network's performance and availability. To help avoid interference, you should place the access points as far away as possible from devices that generate electromagnetic signals and radio waves, such as microwaves, cordless phones and Bluetooth devices. If your AP supports dual-band or tri-band operation, use the 5 GHz band instead of the 2.4 GHz band whenever possible. The 5 GHz band typically experiences less interference because fewer devices operate on that frequency. Remember that concrete, brick and other dense materials can block Wi-Fi signals, and even less dense material will reduce the range of the radio signals. If you are in an office building that has multiple tenants, you will most likely have to contend with several other wireless networks, and you may need to adjust signal strength and channels. Less signal strength means fewer outside people can connect to the network. If you do not want signals to reach outside, you need to reduce the transmit power of your AP to limit its coverage area to the desired space so that the signal does not leak outside, and use signal-blocking materials such as metal or dense foam to block signals from reaching areas where you don't want them. If you do choose to have signals outside and you want to protect the network, you need to ensure that you have strong encryption and authentication mechanisms to prevent unauthorized access.

Wardriving involves hackers searching for wireless networks with vulnerabilities while moving around an area, usually in a moving vehicle. They use hardware and software to discover unsecured Wi-Fi networks, then gain unauthorized access to the network by cracking passwords or decrypting the router. Again, you need to ensure you have strong encryption and authentication, and that you have installed the necessary updates, including drivers and firmware.

Routers, managed switches and firewalls can filter traffic based on IP. Home routers can also perform IP filtering. You can create an allow list, where nothing is allowed unless it is on the list (an allow list is very restrictive), or a deny list, which allows all traffic unless it is on the deny list. The lists can be based on specific URLs, domains and IP addresses.

Firewalls and some home routers can filter traffic based on content. Content filtering on home routers refers to the ability to control or restrict access to certain types of content on the Internet. It allows users to block specific websites, keywords or categories of content deemed inappropriate or undesirable. Some home routers have parental controls that protect children from accessing harmful or inappropriate material online, and organizations use content filtering to enforce acceptable use policies on their network. Home routers and firewalls can also provide anti-malware protection. Content filtering can also be based on URL filtering and website category filtering.

Firewalls and some home routers can provide stateful packet inspection (SPI), which is a form of intelligent filtering. Stateful firewalls keep track of conversations that were initiated internally. If traffic is a response to a conversation, the network traffic is allowed into the network and routed to the respective client that started the conversation. If traffic is not a response to a conversation, the network traffic is blocked.

Screened subnets, also known as the demilitarized zone (DMZ), provide an additional layer of security between your internal network and the systems and services that you need to be publicly accessible from the Internet. Typically, web servers, email front-end servers, external DNS servers, file transfer servers and proxy servers are found in screened subnets.

When you connect to home wireless networks or corporate networks, you will have to specify the name of the wireless network, or Service Set IDentifier (SSID), and usually a known passkey for the network. An open system does not require an authentication password. It is recommended to rename the SSID from the default wireless SSID, such as LINKSYS, DEFAULT or NETGEAR, so that it is not obvious what kind of wireless access point you are using. You should also disable SSID broadcasting, so that the SSID names are not broadcast for all to see. However, keep in mind that the SSID can easily be determined through the wireless network. By hiding the SSID, you are performing security through obscurity. Using WPA2 or WPA3 encryption is a much better security solution.

There have been multiple wireless security protocols throughout the years. Wi-Fi Protected Access (WPA) was an interim standard prior to the ratification of the 802.11i standard. WPA provides strong data encryption via the Temporal Key Integrity Protocol (TKIP). Wi-Fi Protected Access 2 (WPA2) provides enhanced data encryption via the Advanced Encryption Standard (AES), which meets the Federal Information Processing Standard (FIPS) 140-2 requirement of some government agencies. Wi-Fi Protected Access 3 (WPA3) provides even more enhancements, including brute-force protection and public network privacy. WPA2 and WPA3 (if your devices support it) are recommended over the others.

WPA/WPA2/WPA3 can be divided into Personal and Enterprise. WPA/WPA2/WPA3 Personal uses a pre-shared password, which is used by all connections. WPA Enterprise, WPA2 Enterprise and WPA3 Enterprise use 802.1X, which provides an authentication framework for wireless LANs. It is usually used in corporate environments, allowing a user to be authenticated by a central authority such as a RADIUS server. Enterprise mode uses two sets of keys: session keys and group keys. The session keys are unique to each client association between an access point and a wireless client. Group keys are shared among all clients connected to the same access point. Both sets of keys are generated dynamically and are rotated to help safeguard the integrity of the keys over time. The encryption keys could be supplied through a certificate or smart card. Of these, Enterprise is more secure than Personal, since every connection uses a different key.

Some home routers will have guest networks and/or IoT networks available. Guest networks give your guests the convenience of connecting to the Internet without having access to your internal network. Make sure you use a different password than your private network, and you should consider using WPA2 or WPA3 encryption. You might consider disabling guest networks to limit access to outsiders; guest networks are often enabled by default. Some home routers will allow you to enable an IoT network, which is a dedicated wireless network to manage your IoT devices together, such as smart lights and cameras. This should always be enabled with security, such as WPA2 or WPA3.

In corporate networks, you will have a wall jack connected to a patch panel, which connects to a switch. For better security, you should disable those ports where you don't have anything connected and don't expect anything to connect. You can administratively disable ports on switches. While enabling and disabling ports is more work, it is more secure. You can also use 802.1X to have the clients authenticate before they can connect to a switch or wireless access point. 802.1X is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The RADIUS server is able to do this by communicating with the organization's directory, typically over the LDAP or SAML protocol. You can also use Network Access Control (NAC), which will not allow components to connect to the network if they are not compliant, such as if they do not have the newest operating system updates or are not using an up-to-date anti-malware package.

Port forwarding (also known as port mapping or static NAT) allows remote servers and devices on the Internet to access the devices that are within your private local-area network, and vice versa. Without port forwarding, only devices that are part of the internal network can access each other; with port forwarding, anyone can, including those from the Internet. Essentially, port forwarding maps an external IP and port number to an internal IP/port. You do not have to use the same port for external and internal connections. Port forwarding can be used for remote access to your internal systems, gaming, IP camera access and file sharing. While port forwarding provides convenience and flexibility, it also exposes devices and services to potential security risks. You need to ensure that the internal service is properly secured, or any vulnerabilities could be exploited. Therefore, it's crucial to implement port forwarding judiciously and apply appropriate security measures, including using strong passwords, keeping software up to date, and monitoring network traffic.

Question: You configure a wireless access point inside a small office that is located in a crowded office building. Which of the following should you perform to increase the security of the wireless network? (Choose two answers)
Answer: Reduce the transmit power and implement WPA2 or WPA3 encryption.

Question: You just purchased a new SOHO Wi-Fi router. What is the first thing you should do?
Answer: Change the default password.

Question: When you set up a wireless network, what can you do if you are experiencing interference from other wireless networks?
Answer: Change the channels.

Question: You replaced your SOHO router. However, customers cannot access the company-hosted public website. Which of the following is most likely the problem?
Answer: You need to configure port forwarding.

Question: Which of the following will you find on a DMZ? (Choose two answers)
Answer: SFTP server and web server.

For more information, visit these sites:

In summary: when you acquire a router, switch or wireless access point, including any combination device, you should change the default password and update the firmware. Universal Plug and Play (UPnP) is a network protocol that allows apps and devices to open and close ports automatically in order to connect with each other; it should be disabled. Interference is a risk of running a wireless network and can bring down the network's performance and availability. Wardriving involves hackers searching for wireless networks with vulnerabilities while moving around an area, usually in a moving vehicle. Routers, managed switches and firewalls can filter traffic based on IP (specific URLs, domains or IP addresses). Content filtering on home routers refers to the ability to control or restrict access to certain types of content on the Internet. Screened subnets, also known as the demilitarized zone (DMZ), provide an additional layer of security between your internal network and the systems and services that you need to be publicly accessible from the Internet. WPA2 and WPA3 (if your devices support it) are recommended over other encryption mechanisms. Some home routers will have guest networks and/or IoT networks available. For better security, you should disable those ports where you don't have anything connected and don't expect anything to connect. You can also use 802.1X to have the clients authenticate before they can connect to a switch or wireless access point. Port forwarding (also known as port mapping or static NAT) allows remote servers and devices on the Internet to access the devices that are within your private local-area network, and vice versa.

Thank you for watching this video. The next video will be Security – Part 13 – Data Destruction and Disposal Methods. If you have not already, don't forget to subscribe to the PatHasYourBack channel. Thank you.
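To make the filtering the video describes concrete, here is an added example (not from the video or its author) that models a home router's WAN-side inbound policy in Python: the SPI state table that admits only replies to internally initiated conversations, an IP deny list and optional allow list, and a port-forwarding rule that maps external port 8080 to an internal web server on port 80. The `SohoRouter` and `Packet` names are this example's own, and every address, rule and packet is a constructed sample value.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN

@dataclass
class SohoRouter:
    """Toy model of a SOHO router's inbound policy (constructed for this example)."""
    wan_ip: str
    # IP filtering: a deny list blocks the listed sources; an allow list,
    # when set, blocks every inbound source that is not on it
    deny_list: set = field(default_factory=set)
    allow_list: Optional[set] = None
    # port forwarding: external port -> (internal IP, internal port)
    port_forwards: dict = field(default_factory=dict)
    # SPI state table: (remote IP, remote port, WAN port) -> (LAN IP, LAN port)
    conntrack: dict = field(default_factory=dict)
    next_nat_port: int = 40000

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Internally initiated conversation: record it so the reply gets back in
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.conntrack[(pkt.dst_ip, pkt.dst_port, nat_port)] = (pkt.src_ip, pkt.src_port)
            return f"ALLOW out via {self.wan_ip}:{nat_port}"
        if pkt.src_ip in self.deny_list:
            return "DROP deny-list"
        if self.allow_list is not None and pkt.src_ip not in self.allow_list:
            return "DROP not-on-allow-list"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.conntrack:  # response to a tracked conversation
            lan_ip, lan_port = self.conntrack[key]
            return f"ALLOW reply -> {lan_ip}:{lan_port}"
        if pkt.dst_port in self.port_forwards:  # service deliberately exposed
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return f"ALLOW forward -> {lan_ip}:{lan_port}"
        return "DROP unsolicited"
def demo() -> list:
    """Runs a constructed packet sequence (RFC 5737 sample addresses) and returns the decisions."""
    r = SohoRouter(wan_ip="198.51.100.7", deny_list={"192.0.2.66"},
                   port_forwards={8080: ("192.168.1.20", 80)})
    wan = r.wan_ip
    seq = [
        Packet("192.168.1.10", 51234, "203.0.113.5", 443, "out"),  # LAN client opens HTTPS
        Packet("203.0.113.5", 443, wan, 40000, "in"),               # the server's reply
        Packet("203.0.113.5", 443, wan, 40001, "in"),               # no matching state entry
        Packet("203.0.113.9", 5555, wan, 8080, "in"),               # matches the forward rule
        Packet("192.0.2.66", 5555, wan, 8080, "in"),                # deny-listed source
        Packet("203.0.113.9", 6000, wan, 22, "in"),                 # SSH probe, port not exposed
    ]
    return [r.handle(p) for p in seq]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The forwarded service on 192.168.1.20:80 is the only thing an unsolicited Internet packet can reach, which is why the video stresses hardening whatever sits behind a port-forwarding rule.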
